on 2008 Aug 21 12:38 PM
Hi,
I'm using BAPI_USER_CHANGE for resetting a user's pass.
The problem with this function is that it sets an initial pass => at the next logon the user will be prompted to change it.
Is there a way to change this behavior?
If not, do I have any other BAPI alternative?
tx a lot,
s.
Hi S.,
>in the next logon the user will be prompted to change it.
This is intentional for security reasons.
Best Regards,
Matt
Hi dev,
I did not have time the other day to post a more thorough answer, so let me please explain what I mean.
I understand your requirements. We hear this request often, so let me state some of our (SAP's) thoughts on this matter.
- We know about the issue that BAPI_USER_CHANGE offers no official way to set a productive password.
- SAP does not want to build a simple remote callable set-productive-password function - it would not match our security rules.
See Note 376856. However, with the increased adoption of Identity Management solutions, in many cases the controlling entity for identities transfers to the IDM system (be it SAP NW IDM, IBM TIM, SUN IDM, or other). It is quite a common requirement for customers to have a central "change password" workflow/web page on top of an IDM solution which allows the IDM solution to call multiple connectors to set the identical passwords in several systems. Naturally there are far-reaching security impacts that customers need to be aware of.
That being said, "identity management" is the task of an IDM system - but not "identity validation" (here: "password authentication"). The "controlling entity" is still the backend system (validating the password, implementing its own password security policy). So, please do not mix up "Identity Manager" with "Identity Provider" (as SAML defines this system entity's role). An Identity Provider (IdP) is the central place where credential validation takes place - making "synchronization" obsolete.
Unfortunately, many people believe that password authentication is the one and only way of user authentication. So, they conclude that "Single Sign-On" (logon only once and then be able to use many service providers in a system landscape) would impose the requirement for "password synchronization". SSO does not impose this requirement, though.
There could be alternatives to set a productive password:
0) Wait until SAP offers an official API for setting productive passwords.
SAP position:
- SAP strategic solution is to work with single sign-on instead of distributing passwords. This could change in the future, though.
A) Call BAPI_USER_CHANGE to set a new random initial password. Then call SUSR_USER_CHANGE_PASSWORD_RFC using this password to set the new productive password.
SAP position:
We do not recommend it because there are several drawbacks and limitations. Examples:
- The central server does not know about the local password policy. It might happen that the 2nd step fails but the 1st step has already "destroyed" the old password of the user.
- The new password is transported as a normal function parameter field. Therefore, you would see the value in a trace or a dump.
Best Regards,
Matt
Hello,
I am having an issue with BAPI_USER_CHANGE. The client has the users centralized in system 250 and the program I am creating has to change the password in any system. So, for example, when I try to change the system 700 password, if I execute the FM it will throw me an error because the password change has to be done in 250, and if I do the password change in 250 it will change the password for 250, not for 700.
Do you know any other BAPI I can use, or if I can set the parameters correctly in a different way to use BAPI_USER_CHANGE?
Thanks for any inputs, regards,
Gustavo
Hi Dev Shlolm,
I have one requirement to reset the password of a user. Can you please explain how to reset a password by using the "BAPI_USER_CHANGE" function module?
Thanks in Advance.
Edited by: sreelakshmi.B on Nov 4, 2009 5:15 PM
Hi,
Can you please explain how to reset a password by using the "BAPI_USER_CHANGE" function module?
Thanks in Advance.
Hi,
If someone ever needs this info:
DATA: ls_password  TYPE bapipwd,
      ls_passwordx TYPE bapipwdx,
      lt_return    TYPE STANDARD TABLE OF bapiret2.

" PASSWORD and PASSWORDX are structures; fill the BAPIPWD field of each
ls_password-bapipwd  = 'newpassword123'.
ls_passwordx-bapipwd = 'X'.

CALL FUNCTION 'BAPI_USER_CHANGE'
  EXPORTING
    username  = 'USERXYZ'
    password  = ls_password
    passwordx = ls_passwordx
  TABLES
    return    = lt_return.
This sets the password for USERXYZ to newpassword123. However, you should implement several checks like: May the user reset/change his password? Is the user locked, may we unlock him? etc. Confirm with your security manager for details.
Regards,
Simon Ging
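As an added example (not Simon's code and not SAP's), here is the same reset wrapped in the checks he mentions: it reads the lock state with BAPI_USER_GET_DETAIL first, refuses to overwrite an administrator lock, and evaluates the RETURN table after every call instead of assuming success. The structure names BAPISLOCKD, BAPIPWD and BAPIPWDX and the 'L'/'U' lock values are assumed from a standard system; check them in SE11 before using this.

```abap
" Assumption: BAPISLOCKD fields carry 'L' (locked) or 'U' (unlocked).
REPORT zreset_pwd_checked.
PARAMETERS: p_user TYPE xubname OBLIGATORY,
            p_pwd  TYPE bapipwd-bapipwd LOWER CASE OBLIGATORY.

DATA: ls_islocked  TYPE bapislockd,
      ls_password  TYPE bapipwd,
      ls_passwordx TYPE bapipwdx,
      lt_return    TYPE STANDARD TABLE OF bapiret2,
      ls_return    TYPE bapiret2.

" 1. Read the lock state before touching the password.
CALL FUNCTION 'BAPI_USER_GET_DETAIL'
  EXPORTING
    username = p_user
  IMPORTING
    islocked = ls_islocked
  TABLES
    return   = lt_return.
LOOP AT lt_return INTO ls_return WHERE type = 'E' OR type = 'A'.
  MESSAGE ls_return-message TYPE 'I'.
  RETURN.
ENDLOOP.

" 2. An administrator lock (local or global) is a deliberate decision;
"    do not undo it by handing out a fresh initial password.
IF ls_islocked-local_lock = 'L' OR ls_islocked-glob_lock = 'L'.
  MESSAGE 'User is locked by an administrator, no reset done' TYPE 'I'.
  RETURN.
ENDIF.

" 3. Set the initial password; the user must change it at next dialog logon.
ls_password-bapipwd  = p_pwd.
ls_passwordx-bapipwd = 'X'.
CLEAR lt_return.
CALL FUNCTION 'BAPI_USER_CHANGE'
  EXPORTING
    username  = p_user
    password  = ls_password
    passwordx = ls_passwordx
  TABLES
    return    = lt_return.

" 4. Password-policy violations of the target system are reported here.
LOOP AT lt_return INTO ls_return WHERE type = 'E' OR type = 'A'.
  MESSAGE ls_return-message TYPE 'I'.
  RETURN.
ENDLOOP.
MESSAGE 'Initial password set; user must change it at next logon' TYPE 'S'.
```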
Hi Matt,
thanks for the detailed answer.
I understand SAP's point of view here.
I have another question for you:
Is it possible to use ME_USER_CHANGE_PASSWORD instead of the SUSR function that you specified?
(When using the .NET connector I couldn't find the SUSR function in the BAPI functions list.)
Is there any major difference between these two?
thanks a lot,
shlom
Hi,
> Is it possible to use ME_USER_CHANGE_PASSWORD instead of the SUSR function that you specified?
I do not know. I am familiar with our discussions on this topic, but I am not a programmer and I am not an expert on BAPIs.
> 1. Where is the trace in which I can see the password content?
System or user trace, ST05, and dumps, ST22.
> 2. If I use BAPI_USER_CHANGE - I won't have this problem? Will the password be sent encrypted?
I don't think so, but, again, I am not an expert here.
In a nutshell, your method is not recommended and presents serious security risks that should be discussed with the customer before implementing. It is highly recommended to implement SSO solutions instead.
Best Regards,
Matt
> 2. If I use BAPI_USER_CHANGE - I won't have this problem? Will the password be sent encrypted?
Well, the new initial password which is set with BAPI_USER_CHANGE would be visible in traces and dumps, too. However, it gets changed during the next dialog logon. Therefore, we might accept the risk, as opposed to the long-term risk if a productive password is traced.
(Encryption of the communication channel is possible if you use SNC, Secure Network Communications, but this wouldn't touch the issue of traces and dumps.)
Kind regards
Frank